A Look at How to Measure Anything in Cybersecurity Risk (Chapter 3)

by Phil Conrad

How to Measure Anything in Cybersecurity Risk, second edition
by Douglas W. Hubbard and Richard Seiersen

PART 1 - Why Cybersecurity Needs Better Measurements for Risk

Chapter 3 - The Rapid Risk Audit

This chapter proposes some first steps toward building a quantitative risk assessment. The authors do this by walking through what they call the "Rapid Risk Audit." "Its goal is to quickly assess significant risks that can be readily assessed."

They provide a checklist that one could use to conduct this rapid audit:

Part of the challenge is coming up with the lower and upper bound limits: if some loss happened, for example a data breach, what is the minimum amount of loss (lower bound) we would expect to incur? Likewise, what is the maximum amount of loss (upper bound) we expect to absorb?

While this seems difficult to estimate, they provide an example of how to think about ranges:
"You're likely not a veterinarian, zoologist, or a big game hunter. Yet I bet you know something about the weight of an elephant--without having to use Google. You could even estimate the weight of a specific elephant at a specific zoo. You know that an elephant weighs more than 10 pounds. You may also have good reason to believe that 100,000 pounds would be an impossible weight for an elephant. In fact, you could likely come up with a much more reasonable range if pressed."

On occasion, I have been pressed in a very similar circumstance. Every year at my small hometown festival, there's a booth where they bring in a steer or a couple of sheep or goats and allow you to guess the total weight to win prize money. While I've never been fortunate enough to win the prize, I wager a guess nonetheless. (It's free to guess, so why not?) So this example made perfect sense to me. After putting some thought into it, it's likely we can come up with a reasonable estimate for an upper and lower bound. Later, as we learn more information, we can plug in better bound limits.

"The point of risk analysis", they state, "is to support decisions." This applies to both quantitative and qualitative analysis. But the traditional risk matrix used in qualitative analysis offers little guidance to leadership (e.g., the CISO).

Since it's unlikely an organization would only deal with one scenario per year, the authors go on to describe the Monte Carlo simulation method. "This method uses a computer to generate a large number of scenarios based on probabilities for inputs. For each scenario, a specific value would be randomly generated for each of the unknown variables. Then these specific values would go into a formula to compute an output for that single scenario. This process usually goes on for thousands of scenarios." Running a simulation could then provide an answer to the question "Given all the threats, what is the chance that the total losses will exceed $20 million in a single year?"
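To make the simulation concrete, here is an added example (my own code, not from the book) that runs a small Monte Carlo over several threat scenarios and answers the "$20 million in a single year" question. The scenario probabilities and loss ranges are constructed sample values, and treating each lower/upper bound as the 5th and 95th percentile of a lognormal loss distribution is an assumption not stated on this page.

```python
import math
import random

Z90 = 1.6449  # z-score for a 90% interval (5th to 95th percentile)

# Constructed scenarios: (annual probability of occurrence, lower bound $, upper bound $)
SCENARIOS = [
    (0.10, 1_000_000, 20_000_000),   # data breach
    (0.05, 500_000, 50_000_000),     # ransomware outage
    (0.30, 50_000, 2_000_000),       # business email compromise
    (0.20, 100_000, 5_000_000),      # third-party / supply-chain incident
]


def lognormal_params(lower, upper):
    """Map a 90% confidence range (lower, upper) to lognormal mu/sigma.
    Assumption: the bounds are the 5th and 95th percentiles."""
    if not 0 < lower < upper:
        raise ValueError("bounds must satisfy 0 < lower < upper")
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


def ci_percentiles(lower, upper):
    """Return (p5, median, p95) implied by the fitted distribution; p5/p95
    should reproduce the bounds, which is the sanity check on the fit."""
    mu, sigma = lognormal_params(lower, upper)
    return (math.exp(mu - Z90 * sigma), math.exp(mu), math.exp(mu + Z90 * sigma))


def simulate_annual_loss(scenarios, trials=10_000, seed=1):
    """One trial = one simulated year: each scenario either happens (with its
    probability) and draws a loss from its range, or contributes nothing."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    fitted = [(p, lognormal_params(lo, hi)) for p, lo, hi in scenarios]
    totals = []
    for _ in range(trials):
        total = 0.0
        for prob, (mu, sigma) in fitted:
            if rng.random() < prob:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def probability_exceeding(totals, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for t in totals if t > threshold) / len(totals)


if __name__ == "__main__":
    years = simulate_annual_loss(SCENARIOS)
    for limit in (1_000_000, 5_000_000, 20_000_000):
        print(f"P(total loss > ${limit:,}) = {probability_exceeding(years, limit):.3f}")
```

Printing the exceedance probability for a series of thresholds gives the loss exceedance curve the authors use to compare against a risk tolerance.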

The authors go on to provide examples, formulas and accompanying material which are beyond the scope of a blog post. My intent is to share a couple of highlights from this chapter that I learned and that particularly caught my attention.


Posted 1/29/24